On April 11, the United States Court of Appeals for the Fourth Circuit rendered one of the first appellate-level decisions dealing with insurance coverage for a cyber event. The Fourth Circuit confirmed that a commercial general liability insurer was obligated, under the policy’s “personal and advertising injury” coverage, to defend its insured against a class-action lawsuit arising out of the inadvertent posting of patient medical records on the internet. The decision is an important victory for policyholders because it validates a position against which insurers have aggressively fought for the past several years—coverage for cyber events is not only available under specialized “cyber” policies, but may also be obtained under traditional commercial policies.

The case, The Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC, involved a company specializing in maintaining and safeguarding medical records for hospitals, clinics, and other healthcare providers (Portal). In 2013, two patients of an upstate New York hospital discovered that their confidential hospital records were publicly accessible on the internet. When each of the patients entered her name into Google’s search engine, the first result that came up was a link to a file containing her treatment history, lab data, medications, examination results, and other private information. The patients filed a putative class action against Portal, which had been engaged by the hospital to provide electronic storage and maintenance of patients’ medical records. The suit alleged that, due to Portal’s negligence, 2,300 hospital patients’ personal health information and other private data had been posted online without authorization, and was available to the public to view, copy, and download without restriction. According to the complaint, this information could be accessed simply by searching for a patient’s name in an internet search engine. While the complaint did not specify precisely how, or by whom, the data was posted to the internet, it alleged that Portal had acknowledged that “through human error,” its server had been left “open” or “unprotected” for a period of four months, thus leaving the medical information accessible through simple internet searches.

Portal turned to its commercial general liability (CGL) insurer, Travelers, to defend it in the class-action suit and to cover any resulting settlement or judgment. Portal had purchased CGL policies from Travelers for two successive policy years. The first policy contained an endorsement covering “those sums the insured becomes legally obligated to pay as damages because of . . . ‘web site injury’[.]” “Web site injury” was defined as injury “arising out of . . . [o]ral, written or electronic publication of material that . . . gives unreasonable publicity to a person’s private life.” The second policy contained the traditional CGL coverage for “personal and advertising injury” liability, covering “injury caused by [o]ral or written publication of material, including publication by electronic means, of material that . . . [d]iscloses information about a person’s private life.” After denying its duty to defend Portal, Travelers filed a complaint in the United States District Court for the Eastern District of Virginia, seeking a declaration that it was not required to defend Portal.

On cross-motions for summary judgment, Travelers argued that the underlying complaint did not allege a “publication” of private information because there were no allegations that third parties actually viewed the plaintiffs’ medical records. Travelers also contended that there had been no “unreasonable publicity” or “disclosure” because the complaint did not allege that Portal acted affirmatively to attract public interest in the records or that it disclosed plaintiffs’ information to anyone other than the plaintiffs themselves. In keeping with the broad scope of the duty to defend under Virginia law, the district court rejected Travelers’ arguments, entering summary judgment in Portal’s favor.

Relying heavily on the dictionary definition of “publication,” the district court found that information is “published” when it is merely “placed before the public.” The court also cited dictionary definitions of “publicity” as “the quality or state of being . . . exposed to the general view,” and “disclosure” as “[the] process of making something known that was previously unknown.” Thus, it was clear that Portal’s posting of medical records on the internet had effectively “placed before” all internet users private information that was previously unknown to the public. On appeal, the Fourth Circuit agreed, holding that Travelers must defend Portal because the complaint alleged that “any member of the public with an internet connection could have viewed the plaintiffs’ private medical records during the time the records were available online[,]” and as such the information had been published and disclosed for the purposes of triggering Travelers’ duty to defend Portal.

The Portal decision is significant in that it found coverage for cyber liability under a CGL policy. Nevertheless, we expect insurers will contend that Portal should be limited to its facts. They are likely to argue that, in finding an act of “publication,” the court was heavily influenced by the fact that Portal’s own acts or omissions led to the plaintiffs’ damages, as opposed to the acts of a third party.

Among the lessons to be learned from Portal are:

  • Victims of a cyber attack or data breach should examine all of their insurance policies. In addition to cyber policies, commercial general liability, errors and omissions, crime, first-party property and business interruption, and other types of policies may provide coverage;
  • Some traditional policies may be purchased with endorsements extending coverage to “web site injury” or other cyber risk; and
  • Policyholders should continue to expect strong resistance from insurers when it comes to providing coverage for a cyber event under traditional commercial policies.